Articles

WannaCry: What it is and what to do about it

For those of us in the IT Security profession, Friday May 12 was Black Friday. Networks in healthcare and critical infrastructure across at least 99 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry. The bulk of infections were reported in Russia, Taiwan and Spain.

First observed targeting UK hospitals and Spanish banks, big companies like Telefónica, Vodafone and FedEx had some of their systems infected with the threat that also hit rail stations and universities. The Spanish CERT issued an alert warning the organizations and confirming that the malware was rapidly spreading.

Is it over? Will it happen again?

A sample of malware was reverse engineered and found to contain a “kill switch“. The malware tries to resolve a particular domain name and if it exists, it self destructs. This domain has been registered and so, if you are infected and this particular strain is able to successfully resolve that domain name using your internet connection and DNS settings, then it will apparently terminate itself. Obviously hope is not a strategy and assuming that we don’t have todo anything now is a big mistake. It is inevitable that a new strain which won’t have any such kill switch will emerge. Accordingly, it is imperative to strengthen defenses.

How it spreads

Initial infection is possibly via phishing email. CERT also reported that the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise. Once the infection has taken root, it spreads across the network looking for new victims using the Server Message Block (SMB) protocol. The ransomware uses the Microsoft vulnerability MS17-10[1]. This vulnerability was used by ETERNALBLUE, an exploit that was developed by the NSA and released to the public by the Shadow Brokers, a hacker group on April 14, 2017. Microsoft released a patch for this vulnerability on March 14, one month before the release of the exploit.

What it does

Once the infection is on the machine, it encrypts files and shows a ransom note asking for $300 or $600 worth of bitcoin.

Technical details

As described by CERT, the WannaCry ransomware is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.

Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of WannaCry C&C servers and domain names used by the malware

Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.

Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.

Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our Privacy Statement to learn more.